Re: [Isms] review of draft-ietf-isms-radius-usage
Hi Kaushik,

Thanks for the responses!

KN> You are right. Service authorization is a coarse granular mechanism
KN> to limit SNMP access only to operators/admins and deny access to a
KN> large population of users that may be authenticated by the RADIUS
KN> server. As you point out, lack of service authorization will require
KN> administrators to set up VACM and it is not a security issue but it
KN> provides ease of management.

KN> We will update the text in this section

Thanks.  Please make sure that it's clear that the important thing is
that RADIUS may propose additional restrictions, but just by using
RADIUS you still need VACM configuration in place until the "future
research" on distributing VACM content is completed.  RADIUS may result
in closing of the connection and no messages making it to the VACM
layer, but it doesn't remove the VACM layer either...

> Nowhere in this section does it discuss the ramifications of relying on
> a centralized network based authentication system.  Looking very quickly
> (but not in detail so I may have missed it) at the other documents that
> this section references, it doesn't look like they do either.  SNMP has
> traditionally been designed to be used in a way that makes it always
> available if you can get to the device in question.  The use of RADIUS
> changes this and adds additional dependencies on network availability.
> It will now be possible to perform new denial of service attacks by
> attacking the infrastructure between the SNMP server using RADIUS for
> authentication and the RADIUS server providing that authentication
> back-end.  The use is certainly well justified as RADIUS will provide
> many positive benefits that may be worth the cost, but the downsides
> should still be documented.

KN> Section 4.1 of RFC3579 discusses the threat model for RADIUS. All those
KN> threats apply to usage of RADIUS in ISMS.

That section doesn't discuss my concerns above.

-- 
Wes Hardaker
Sparta, Inc.
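The two layers the message keeps apart, RADIUS service authorization on the session and VACM on each request, are easy to conflate. The following is an added illustration, not code from this thread, the draft, or any SNMP implementation: a small Python model in which a RADIUS verdict gates the session (including the unreachable-server case raised above), and a surviving session is then still checked against VACM tables. The security names, the RADIUS answers, the group/access/view tables and the sample OIDs are all constructed assumptions.

```python
"""Model of the two access-control layers discussed in the thread
(constructed illustration, not the draft's or any agent's code):
a RADIUS decision gates the session, then VACM decides per-request view
access.  All names, tables and sample requests are assumptions."""

from enum import Enum


class RadiusResult(Enum):
    ACCEPT = "Access-Accept"
    REJECT = "Access-Reject"
    UNREACHABLE = "no response"   # server or the path to it is down


# Hypothetical RADIUS backend answers keyed by securityName (constructed).
RADIUS_DB = {
    "netops": RadiusResult.ACCEPT,    # operator, SNMP service authorized
    "helpdesk": RadiusResult.REJECT,  # authenticated elsewhere, no SNMP service
}


def radius_decide(security_name, server_reachable=True):
    """Coarse service authorization: who may open an SNMP session at all."""
    if not server_reachable:
        return RadiusResult.UNREACHABLE
    return RADIUS_DB.get(security_name, RadiusResult.REJECT)


# Minimal VACM tables in the shape of RFC 3415 (constructed content).
VACM_GROUPS = {"netops": "operators"}
VACM_ACCESS = {("operators", "read"): "sysView",
               ("operators", "write"): "noView"}
VACM_VIEWS = {
    "sysView": [("1.3.6.1.2.1.1", True)],   # system subtree is included
    "noView": [],
}


def oid_in_view(view_name, oid):
    """Longest matching subtree decides, as VACM view matching does."""
    best = None
    for subtree, included in VACM_VIEWS.get(view_name, []):
        if oid == subtree or oid.startswith(subtree + "."):
            if best is None or len(subtree) > len(best[0]):
                best = (subtree, included)
    return best is not None and best[1]


def vacm_check(security_name, operation, oid):
    """Fine-grained check: which objects this principal may read or write."""
    group = VACM_GROUPS.get(security_name)
    if group is None:
        return False
    view = VACM_ACCESS.get((group, operation), "noView")
    return oid_in_view(view, oid)


def handle_request(security_name, operation, oid, radius_reachable=True):
    """Return a decision string; fail closed when RADIUS does not answer."""
    verdict = radius_decide(security_name, radius_reachable)
    if verdict is RadiusResult.REJECT:
        return "session closed: RADIUS rejected"
    if verdict is RadiusResult.UNREACHABLE:
        return "session closed: RADIUS unreachable (availability dependency)"
    # RADIUS accepted: VACM still governs what the request may touch.
    if vacm_check(security_name, operation, oid):
        return "allowed by VACM"
    return "denied by VACM"


if __name__ == "__main__":
    for args in [("netops", "read", "1.3.6.1.2.1.1.5.0"),
                 ("netops", "write", "1.3.6.1.2.1.1.5.0"),
                 ("helpdesk", "read", "1.3.6.1.2.1.1.5.0"),
                 ("netops", "read", "1.3.6.1.2.1.1.5.0", False)]:
        print(args, "->", handle_request(*args))
```

The point the model makes is the one the message makes: a RADIUS reject or timeout ends the session before any VACM lookup happens, but a RADIUS accept grants nothing by itself, so an agent with no VACM entries for the accepted principal still denies every request. The unreachable branch is where the availability dependency shows up; an agent that failed open there would turn a RADIUS outage into unrestricted access, so the model fails closed.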
_______________________________________________
Isms mailing list
Isms at ietf.org
https://www.ietf.org/mailman/listinfo/isms